Commit Graph

111 Commits (74326a43e7cff0665c6973abad9b4accfcfb952d)

Author SHA1 Message Date
Philippe Antoine 6a6aa04f55 dnp3-gen: fix heap buffer overflow in generated code
Due to missing check before memcpy.
8 years ago
Eric Leblond 3c68a22092 suricatasc: implement autoreconnect
Implement a basic autoreconnect support. It tries to reconnect once
when the connection has been lost. If it fails, it discards the command
and tries again to connect at the next command.
8 years ago
Eric Leblond 3d0ba36ba8 unix socket: protocol v0.2
This patch updates the unix socket protocol. Messages sent from
the server and the client now have a '\n' at the end. This allows
both sides to easily detect the end of a command.

As a side effect, this fixes the problem of long answers in
suricatasc. There is now a limit at the arbitrary value of 65536.

Backward compatibility is preserved as a client with the older
version of the protocol can still connect to a Suricata with
version 2 of the protocol.
8 years ago
Jason Ish 3fd7256af5 setup-app-layer-detect: update for changes in detect 8 years ago
Danny Browning 0813f08075 suricatasc: pcap-file-continuous (2412)
https://redmine.openinfosecfoundation.org/issues/2412

Suricatasc does not support pcap-file processing in continuous mode.
Register a new command pcap-file-continuous in the unix manager to work
with suricatasc. Add defaulted arguments for pcap-file to support
backwards compatibility.
8 years ago
Jason Ish 46d754044e suricatasc: don't use find -delete
For when -delete isn't supported by find. Instead use
-print0 with xargs -0.
8 years ago
Giuseppe Longo 16ddba61d6 suricatasc: add commands for memcap handling 8 years ago
Jason Ish 84f09d5124 template scripts: fixup detect setup scripts
Update scripts to reflect recent changes in the detection files.
8 years ago
Dana Helwig 3ab9120821 source-pcap-file: Pcap Directory Mode (Feature #2222)
https://redmine.openinfosecfoundation.org/issues/2222

Pcap file mode that when passed a directory will process all files in
that directory. If --pcap-file-continuous or continuous option is passed
in json, the directory will be monitored until the directory is
moved/deleted, suricata is interrupted, or the pcap-interrupt command
is used with the unix command socket. The existing file implementation and
the new directory implementation have moved from source-pcap-file into
pcap-file-helper and pcap-directory-helper.

Engine state will not reset between files.

Also satisfies:
 * https://redmine.openinfosecfoundation.org/issues/2299
 * https://redmine.openinfosecfoundation.org/issues/724
 * https://redmine.openinfosecfoundation.org/issues/1476

Co-Authors: Dana Helwig <dana.helwig@protectwise.com> and
Danny Browning <danny.browning@protectwise.com>
8 years ago
Pierre Chifflier 862abd2fe4 applayer: add StringToAppProto
Add StringToAppProto to map a protocol name to an AppProto.

Exposing this function is required to let parsers discover their
AppProto identifier constant dynamically.
For example, a parser can request this value, and use it for
registration without knowing the value.
8 years ago
Jason Ish 40a1a972d6 template: script to check the setup scripts
This script applies the setup scripts one by one followed
by a make distcheck.
8 years ago
Jason Ish d1ac839333 template scripts: allow to be called from top or src
Allow the template setup script to be called from the top source
directory or from ./src to unify where they can be executed
from.
8 years ago
Jason Ish ea2ef1b51a templates: rename scripts to use - instead of _
Use "-" consistently instead of a mix of - and _.

setup_decoder.sh -> setup-decoder.sh
setup_simple_detect.sh -> setup-simple-detect.sh
8 years ago
Victor Julien 499afaba4b template: fix decoder setup script 8 years ago
Victor Julien 7783847467 template: fix setup detect script 8 years ago
Jason Ish 6bddc4d3e0 python: use python path found during configure
Also look for Python under more names. For example, on OpenBSD
if you just install Python 2, you will only get a python2.7
executable.
8 years ago
Jason Ish ac7cf48a98 dnp3: in template, include files' own headers
To deal with -Wmissing-prototypes as added in
ab1200fbd7

Note: Change was already applied to source files, this just
updates the generation.
9 years ago
Jason Ish e69ce30d87 template script: typo in app-layer setup script
Check for ed was failing, as it was actually looking for edx.
9 years ago
Victor Julien 8fde6f967f suricatasc: add/list/remove hostbit commands
Syntax:
    add-hostbit <ip> <bit name> <expire>
Example:
    add-hostbit 1.2.3.4 blacklist 3600

Syntax:
    remove-hostbit <ip> <bit name>
Example:
    remove-hostbit 1.2.3.4 blacklist

Syntax:
    list-hostbit <ip>
Example:
    list-hostbit 1.2.3.4
9 years ago
Victor Julien 322c260749 afl: minimalistic script to start AFL fuzzers
in suricata source dir:

mkdir afl
cd afl
bash ../scripts/afl/runafl.sh decoder-ipv4
9 years ago
Victor Julien 6bd265258e afl: util script to list crashed series 9 years ago
Jason Ish f73806211a template script: use bash and require ed
For now these scripts only work in bash, and the "ed" program
is required.
9 years ago
Jason Ish 1abaf1c96d templates: require the protocol name to start with a capital
When running ./setup-app-layer.sh require the protocol name to
start with a capital letter so it looks somewhat like a proper
name. This will help give better function names.

For example:

   ./setup-app-layer.sh IRC
   ./setup-app-layer.sh Irc

will create function names starting with IRC or Irc. But we do
not want function names to start with "irc".
9 years ago
Jason Ish 2a0bb108d0 dnp3-gen: rename index variable to point_index
Gcc 4.6 will warn with -Wshadow for a local variable
named "index" as <strings.h> has a function named "index".

Newer versions of gcc handle this case.
9 years ago
Jason Ish 240d789c40 DNP3: dnp3-gen: code generator for repetitive DNP3 code 9 years ago
Jason Ish bbbc5ab1fc setup-app-layer-logger.sh: update for logging changes 9 years ago
Jason Ish dc2c896781 app-layer setup scripts: enable new modules on copy
The templates are disabled by default; enable the copy
of the template so the new app-layer modules are enabled
by default.
10 years ago
Jason Ish 84fd28eaed app-layer setup scripts: fix header substitution.
Fixes make distcheck.
10 years ago
Jason Ish 4a738023d5 app-layer: scripts to setup app-layer templates
setup-app-layer.sh sets up an application layer detector and
parser template.

setup-app-layer-logger.sh sets up a JSON application layer
transaction logger for an application parser that has
already been provisioned.

setup-app-layer-detect.sh sets up a keyword for performing
content inspections on buffers created by the application
layer.
10 years ago
Victor Julien a4bce14770 development tools: add script to setup detect module
Simplify creation of a new detect module by creating a copy of the
detect template. It sets the name and registers it in the build
system. Finally its registration function is called.
10 years ago
Victor Julien 85b00dcfa0 development tools: add script to setup new decoder
Simplify creation of a new decoder.
10 years ago
Victor Julien 4d0975eeac multi-detect: implement reload tenant in suricatasc 10 years ago
Victor Julien a20e43f97c suricatasc: add unregister-tenant-handler 10 years ago
Victor Julien a21e88d955 suricatasc: add register-tenant-handler command
Arguments:
- tenant id (int)
- name of handler (string)
- traffic id related to handler (int, optional)

Examples:
- register-tenant-handler 1 vlan 1111
- register-tenant-handler 8 pcap
10 years ago
Victor Julien 127d8183d7 suricatasc: allow for tenant id in pcap-file
Allow for an optional 'tenant id' argument to pcap-file. This will
allow us to force the pcap to be inspected by this tenant.

If omitted it's 0, which means it's disabled.
10 years ago
Victor Julien 147a6d2bfd multi-detect: (un)register-tenant unix socket commands
Make available to live mode and unix socket mode.

register-tenant:
    Loads a new YAML, does basic validation.
    Loads a new detection engine
    Loads rules
    Add new de_ctx to master store and stores tenant id in the de_ctx so
        we can look it up by tenant id later.

unregister-tenant:
    Gets the de_ctx, moves it to the freelist
    Removes config

Introduce DetectEngineGetByTenantId, which gets a reference to the
detect engine by tenant id.
10 years ago
Alexander Gozman e028917955 In non-interactive mode, print errors to stderr 10 years ago
Alexander Gozman a9176cf126 suricatasc: remove "u" prefix when printing JSON output.
If we want to parse suricatasc's output, python's unicode prefix
should be removed to make JSON parsers happy.
10 years ago
Victor Julien 3fbc6ede6b suricatasc: allow for longer response times after connect 11 years ago
Victor Julien 664100c074 suricatasc: allow for much longer response times 11 years ago
Eric Leblond e564ac77fd suricatasc: exit with error if command returns NOK 11 years ago
Eric Leblond 55ccd3b17d suricatasc: now python 2 and 3 compatible
Update code to support both python 2 and python 3.
11 years ago
Victor Julien 84e8217fd8 unix-socket: allow socket in custom locations
Allow the socket to be set in any location. This allows for easy
setting up of a socket as a non-root user.
11 years ago
Eric Leblond 7f68a25535 suricatasc: add -c flag to run command
Add -c flag to run the command given as argument and return the raw
JSON result. For example, it is possible to run something like:
 $ suricatasc  -c "iface-stat eth0"
 {'message': {'pkts': 17838352, 'drop': 0, 'invalid-checksums': 1}, 'return': 'OK'}
11 years ago
Eric Leblond 1b9cc03653 suricatasc: factorize command parsing 11 years ago
Noam Meltzer e873443adb fix regression in 'make distclean' due to commit cd305c3a
the files under scripts/suricatasc/src are actual sources and should not
be cleaned
12 years ago
Eric Leblond ff2b8009ef suricatasc: fix make distcheck. 13 years ago
Eric Leblond cd305c3a78 suricatasc: update python packaging
'make install' now installs the suricatasc script and Python module to
the system. The suricatasc client module can now be used in other
Python projects by using 'import suricatasc'.

A transformation was needed for distribution of a module and a script.
The module in the src directory now contains most of the code and the
script only handles argument parsing and the creation of a unix socket
client through the 'suricatasc' module.
13 years ago
Eric Leblond c39c5453e9 suricatasc: refactor as a class
The goal of this commit is to be able to use suricatasc as a library
and as a program. This is done by putting all active code in a class and
adding Python magic to detect when the file is used as a program.
13 years ago
Eric Leblond 345cfc3541 suricatasc: improve output of command result 13 years ago
Eric Leblond 9fc996e4df suricatasc: treat old server case
If the server doesn't have the 'command-list' function, suricatasc
was failing. This patch fixes this issue by adding a static list
instead.
13 years ago
Eric Leblond 36519fb4e4 suricatasc: real cmd line parsing and verbose mode
This patch adds command line parsing and help to suricatasc. It also
adds a verbose mode (-v) where the sent and received JSON objects are
shown. This should ease development of unix socket clients.
13 years ago
Eric Leblond 84322fa556 unix socket: add 'conf-get' command
This patch adds a 'conf-get' command which gets the configuration
value from suricata. The argument of the command is the name of the
variable to fetch.
The command syntax is the following:
{
 "command": "conf-get",
 "arguments": { "variable":value}
}
13 years ago
Eric Leblond e3df0d4f5d suricatasc: display command list 13 years ago
Eric Leblond bb639e4a6d suricatasc: add readline completion 13 years ago
Eric Leblond 68c1276433 suricatasc: factorize code and use dynamic commands
This patch factorizes the recv code and uses the new 'command-list'
to get the list of existing commands from suricata. This allows
suricatasc to call any new command if this command does
not require an argument.
13 years ago
Eric Leblond 78b5812ae6 unix runmode: add 'pcap-current' command
This command outputs the currently processed file name or 'None'
if no file is currently processed.
13 years ago
Eric Leblond fc7e6c4a3d unix socket: implement command-list command 13 years ago
Eric Leblond cc71c993f4 unix-command: add iface information command.
This patch adds two commands to unix-command. 'iface-list' displays
the list of interfaces which are sniffed by Suricata and 'iface-stat'
displays the available statistics for a single interface. For now,
this is the number of packets and the number of invalid checksums.
13 years ago
Eric Leblond 83f0af3630 suricatasc: improve reading when system is loaded 13 years ago
Eric Leblond 20a8b9dbe5 unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
 * Client connects to the socket
 * It sends a version message: { "version": "$VERSION_ID" }
 * Server answers with { "return": "OK|NOK" }
If the server returns OK, the client is now allowed to send commands.

The format of command is the following:
 {
   "command": "pcap-file",
   "arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
 }
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer from the server is the following:
 {
   "return": "OK|NOK",
   "message": JSON_OBJECT or information string
 }

A simple script is provided and is available under scripts/suricatasc. It
is not intended to be an enterprise-grade tool but is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.

Configuration of the feature is made in the YAML under the 'unix-command'
section:
  unix-command:
    enabled: yes
    filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.

A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
starts a 'pcap-file' running mode which does not really leave at
the end of the file but simply exits. The manager is then able to start
a new running mode with a new file.

To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fixes the file name of the
socket. The path is not absolute and is relative to the state directory.

The 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what is specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be used for the pcap file treatment.

This requires modification in the suricata.c file where initialisation code
is now conditional on the 'unix-socket' mode not being used.

Two other commands exist to get info on the remaining tasks:
 * pcap-file-number: return the number of files in the waiting queue
 * pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
 {
  'count': 2,
  'files': ['file1.pcap', 'file2.pcap']
 }
13 years ago
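The protocol described in this commit, the '\n'-terminated framing and the 65536-byte answer limit from the "unix socket: protocol v0.2" commit, and the one-shot reconnect from the "suricatasc: implement autoreconnect" commit, can be exercised end to end with the following added example. It is not Suricata's unix manager nor the suricatasc client; both sides are constructed toys written for this page. The version id "0.2", the socket file name under a temporary directory, and the fact that the server only understands 'pcap-file' and 'pcap-file-list' are assumptions of the example, and the JSON shapes (the version handshake, the "return"/"message" answer and the 'count'/'files' object) follow the commit messages above.

```python
import contextlib
import json
import socket
import tempfile
import threading

VERSION = "0.2"      # constructed version id sent in the handshake
MAX_MESSAGE = 65536  # client-side cap on an unterminated reply (the v0.2 limit)

def send_message(sock, obj):
    # protocol v0.2 framing: one JSON object followed by '\n'
    sock.sendall(json.dumps(obj).encode() + b"\n")

def recv_message(sock, buf, limit=MAX_MESSAGE):
    # read one '\n'-terminated JSON message; buf keeps leftover bytes between calls
    while b"\n" not in buf:
        if len(buf) >= limit:
            raise ValueError("no terminator within %d bytes" % limit)
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    line, _, rest = bytes(buf).partition(b"\n")
    buf[:] = rest
    return json.loads(line.decode())

class ToyUnixManager:
    # constructed stand-in for Suricata's unix manager: version handshake, then commands
    def __init__(self, path):
        self.queue = []  # pcap files waiting to be processed
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(path)
        self.sock.listen(1)
    def handle(self, msg):
        cmd, args = msg.get("command"), msg.get("arguments") or {}
        if cmd == "pcap-file":
            if "filename" not in args or "output-dir" not in args:
                return {"return": "NOK", "message": "filename and output-dir required"}
            self.queue.append(args["filename"])
            return {"return": "OK", "message": "pcap file added"}
        if cmd == "pcap-file-list":
            return {"return": "OK", "message": {"count": len(self.queue), "files": list(self.queue)}}
        return {"return": "NOK", "message": "unknown command"}
    def serve_one(self):
        # serve one client until it disconnects; a wrong version gets NOK and nothing more
        conn, _ = self.sock.accept()
        buf = bytearray()
        with conn, contextlib.suppress(ConnectionError):
            ok = recv_message(conn, buf).get("version") == VERSION
            send_message(conn, {"return": "OK" if ok else "NOK"})
            while ok:
                send_message(conn, self.handle(recv_message(conn, buf)))

class ToyClient:
    # constructed client with the one-shot autoreconnect behaviour described above
    def __init__(self, path):
        self.path, self.sock, self.buf = path, None, bytearray()
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.path)
        self.buf = bytearray()
        send_message(self.sock, {"version": VERSION})
        if recv_message(self.sock, self.buf).get("return") != "OK":
            raise ConnectionError("server refused the protocol version")
    def send_command(self, command, arguments=None):
        msg = {"command": command, "arguments": arguments} if arguments else {"command": command}
        try:
            send_message(self.sock, msg)
            return recv_message(self.sock, self.buf)
        except OSError:  # connection lost: reconnect once, otherwise discard this command
            try:
                self.connect()
            except OSError:
                return {"return": "NOK", "message": "connection lost, command discarded"}
            send_message(self.sock, msg)
            return recv_message(self.sock, self.buf)

def oversized_reply_rejected(limit=64):
    # the length cap in action: a reply that never terminates raises instead of growing forever
    a, b = socket.socketpair()
    with a, b:
        a.sendall(b"x" * (limit + 32))
        try:
            recv_message(b, bytearray(), limit=limit)
            return False
        except ValueError:
            return True

def run_demo():
    # end-to-end exchange on a temporary socket path; returns the replies the client saw
    with tempfile.TemporaryDirectory() as tmp:
        server = ToyUnixManager(tmp + "/suricata.socket")  # constructed path, not the real default
        threading.Thread(target=lambda: [server.serve_one() for _ in range(2)], daemon=True).start()
        client = ToyClient(tmp + "/suricata.socket")
        client.connect()
        pcap = {"filename": "smtp-clean.pcap", "output-dir": "/tmp/out"}  # arguments quoted in the commit
        replies = {"add": client.send_command("pcap-file", pcap),
                   "bad": client.send_command("pcap-file", {"filename": "x.pcap"})}
        client.sock.close()  # simulate a lost connection; the next command must reconnect once
        replies["after_reconnect"] = client.send_command("pcap-file-list")
        client.sock.close()
        return replies
```

Calling `run_demo()` shows the handshake, an accepted 'pcap-file', a NOK for missing arguments, and a 'pcap-file-list' answer obtained through the single reconnect after the client socket was dropped; the server keeps its queue across the two connections, so the listed count is 1. The `limit` in `recv_message` is what keeps a misbehaving or malicious peer from growing the client's buffer without bound, which is the practical reason for the arbitrary 65536 cap mentioned in the v0.2 commit.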